What is a WAF?
A Web Application Firewall (WAF) is software that protects web applications (websites, APIs and similar) by filtering and monitoring the HTTP traffic that flows between the application server and the Internet. It sits in front of the server like a shield: every request has to pass through it, and a request is forwarded to the server only after it has been checked against a set of predefined rules. The server therefore receives only traffic that has passed inspection. Note that a WAF can only filter what its rules recognize, so "clean" here means "nothing the rules objected to", not a guarantee that no malicious request gets through.
How does WAF work?
The Internet is built on the TCP/IP model, a four-layer model (sometimes presented with five layers).
The model describes the operations needed to move data across a computer network. It corresponds loosely to the OSI reference model, which divides the same job into seven layers.
A WAF works at the application layer, the seventh and outermost layer of the OSI model. Unlike a conventional network firewall, which sees only addresses, ports and protocols, a WAF understands HTTP and can inspect the URL, headers, query string, cookies and body of each request.
The "rules" a WAF applies are signatures and policies written to detect attempts to exploit known classes of web vulnerability, for example request parameters that look like SQL injection or cross-site scripting payloads.
Blocklist vs Allowlist in WAF
There are two approaches to writing WAF rules. The blocklist (negative security) approach filters traffic by matching it against patterns of known attacks. This model is easier to deploy, because it needs little knowledge of the protected application, but it is often less effective: it stops only attacks it already has a signature for, the signatures have to be updated whenever new attack techniques appear, and attackers routinely try to slip past them with encoding, case changes and other obfuscation, so the WAF must normalize each request before matching.
In contrast, rules that rely on an allowlist (positive security) let only explicitly authorized traffic reach the server, like a security guard with the guest list at a VIP party: the paths, parameters and value formats the application accepts are described, and anything else is rejected. This model takes more effort up front to define what legitimate traffic looks like, and the definition has to be revisited whenever the application changes or legitimate requests start getting blocked, but it needs far fewer updates in response to new attacks. Some WAFs can also build the allowlist automatically by observing normal traffic in a learning mode.
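The following Python script is an added example, not code from the original page or from any real WAF product. It implements both models over a handful of constructed requests: a blocklist of three regular-expression signatures, applied once to the raw parameter values and once after URL-decoding and lowercasing, and an allowlist describing which paths and parameters the application accepts. The paths, parameter names and value format are assumptions invented for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests for this example (not taken from the original page).
SAMPLE_REQUESTS = [
    {"path": "/search", "params": {"q": "red shoes"}},                 # legitimate
    {"path": "/search", "params": {"q": "' OR 1=1 --"}},               # plain SQL injection
    {"path": "/search", "params": {"q": "%27%20oR%201%3D1%20--"}},     # same payload, URL-encoded, mixed case
    {"path": "/search", "params": {"q": "shoes", "debug": "1"}},       # parameter the app never defined
    {"path": "/admin", "params": {}},                                  # path the allowlist does not know
]

# Blocklist (negative model): signatures of attacks we already know about.
BLOCKLIST = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*or\s+\d+\s*=\s*\d+",   # classic tautology, e.g. ' OR 1=1
    r"union\s+select",
    r"<script\b",
)]


def normalize(value: str) -> str:
    """URL-decode until the value stops changing (defeats double encoding), then lowercase."""
    previous = None
    while previous != value:
        previous, value = value, unquote_plus(value)
    return value.lower()


def blocklist_naive(request):
    """Blocklist applied to the raw parameter values, as a careless rule set would do."""
    for name, value in request["params"].items():
        for sig in BLOCKLIST:
            if sig.search(value):
                return True, f"signature {sig.pattern!r} in {name}"
    return False, "allow"


def blocklist_normalized(request):
    """Same signatures, applied after decoding; this is why real WAFs normalize first."""
    for name, value in request["params"].items():
        decoded = normalize(value)
        for sig in BLOCKLIST:
            if sig.search(decoded):
                return True, f"signature {sig.pattern!r} in {name}"
    return False, "allow"


# Allowlist (positive model): what legitimate traffic looks like, per path and parameter.
# Assumed application: a root page and a search page whose only parameter is "q".
ALLOWLIST = {
    "/": {},
    "/search": {"q": re.compile(r"[\w\s-]{1,64}")},   # 1-64 word characters, spaces or hyphens
}


def allowlist_check(request):
    """Reject anything not explicitly described: unknown path, unknown parameter, bad value format."""
    schema = ALLOWLIST.get(request["path"])
    if schema is None:
        return True, f"unknown path: {request['path']}"
    for name, value in request["params"].items():
        pattern = schema.get(name)
        if pattern is None:
            return True, f"unknown parameter: {name}"
        if not pattern.fullmatch(normalize(value)):
            return True, f"bad format for parameter: {name}"
    return False, "allow"


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["path"], req["params"])
        print("  naive blocklist     :", blocklist_naive(req))
        print("  normalized blocklist:", blocklist_normalized(req))
        print("  allowlist           :", allowlist_check(req))
```

Running it shows the trade-off described above: the naive blocklist misses the URL-encoded injection entirely, the normalized blocklist catches it but still knows nothing about the stray `debug` parameter or the `/admin` path, while the allowlist rejects all three without containing a single attack signature. The price of the allowlist is that the schema has to be kept in step with the application: add a new parameter to the search page and it is blocked until the allowlist is updated.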
What does WAF protect against?
As stated, a WAF protects against known classes of application attack. OWASP (the Open Worldwide Application Security Project) is an Internet community that publishes information, articles, methodologies and tools for web application security. Its best-known document is the OWASP Top 10, a periodically updated list of the ten most critical security risks to web applications. A small part of that list, plus one attack that is often grouped with it:
Cross-site scripting (XSS) – the attacker injects script, usually JavaScript, into a page that other users' browsers then execute, for example through a comment or search field whose value is echoed back without escaping. It affects almost any site that renders user-supplied content, which is nearly every site today.
SQL injection – very similar to XSS in mechanism, this attack also injects code, in this case SQL, through inputs such as form fields and search boxes that the application concatenates into database queries. Against an unprotected site it can read usernames, password hashes and other data from the site's database, or modify it.
Cryptographic failures (previously listed as sensitive data exposure) – some web applications store or transmit sensitive information such as credit card numbers or ID numbers without proper encryption. If the application or its database is breached, that information is exposed to the attacker as raw, unprotected data instead of ciphertext. A WAF cannot fix this class of problem; it has to be addressed in the application and its data storage.
Denial of service (DoS/DDoS) – an attempt to make an Internet service, such as a website, unavailable to its users, usually by overwhelming the server it runs on; hence the name "denial of service". There are many variants, but the principle is to flood the site and its server with traffic until it goes down under the load. In a distributed attack (DDoS) that traffic comes from many devices at once, often a botnet of machines that were compromised without their owners' knowledge. DDoS is not itself an OWASP Top 10 category: a WAF can help against application-layer floods with rate limiting, but large volumetric attacks have to be absorbed upstream, by a CDN or the network provider, before they ever reach the WAF.
The popularity of the WAF stems from the ease of deploying it: most developers do not specialize in security, and many organizations lack the resources for separate security activities such as penetration testing.
A WAF, on the other hand, requires no changes to the application's source code. It is deployed as a reverse proxy, a server module (plug-in) or a cloud service in front of the application, mediating between the browser and the server. That makes it a useful compensating control for vulnerabilities that have not yet been fixed, but not a substitute for fixing them in the application itself.
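To show what "mediates between the browser and the server without touching the application" means concretely, here is an added example (not code from the original page or any real product): a minimal WAF written as a WSGI middleware that wraps a constructed search application. The application, its URL, the two signatures and the `handle` test harness are all assumptions invented for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Two blocklist signatures, enough to demonstrate the mediation; a real rule set is far larger.
SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*or\s+\d+\s*=\s*\d+",   # SQL tautology such as ' OR 1=1
    r"<script\b",                 # reflected/stored XSS probe
)]


def is_malicious(query_string: str) -> bool:
    """Decode and lowercase the query string, then look for any known attack signature."""
    decoded = unquote_plus(query_string).lower()
    return any(sig.search(decoded) for sig in SIGNATURES)


class WafMiddleware:
    """Wraps any WSGI application. The wrapped application is not modified in any way;
    requests that trip a signature are answered with 403 before the application runs."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if is_malicious(environ.get("QUERY_STRING", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by WAF\n"]
        return self.app(environ, start_response)


def search_app(environ, start_response):
    """Constructed upstream application: echoes the search term. It has no input validation
    of its own, which is exactly the situation in which a WAF is deployed as a compensating control."""
    term = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"results for: {term}\n".encode()]


# Same application, now behind the WAF; search_app itself is untouched.
protected_app = WafMiddleware(search_app)


def handle(app, query_string: str):
    """Drive a WSGI app with a constructed GET /search environ and return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/search", "QUERY_STRING": query_string}
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    for qs in ("q=shoes", "q=%27+OR+1%3D1+--", "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"):
        print(qs, "->", handle(search_app, qs)[0], "unprotected;",
              handle(protected_app, qs)[0], "behind WAF")
    # To serve it for real: wsgiref.simple_server.make_server("127.0.0.1", 8080, protected_app).serve_forever()
```

The unprotected application happily echoes the injection and script payloads with a 200; the same payloads get a 403 from `protected_app`, while a normal search passes through unchanged. Swapping `search_app` for any other WSGI application needs no change to that application, which is the deployment property the paragraph describes. It is also visible why this is a compensating control only: the application remains just as vulnerable, and any payload the two signatures do not recognize still reaches it.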